-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Question / Clarification] Overapproximation attribute does more than expected? #651
Comments
When I implemented this I intentionally choose to use to overapproximate as much a possible and to have not even congruence. We typically utilize the
|
I have to discuss with the other developers what we can do. At a first glance, I would guess:
|
@Heizmann Thanks for the clarification. We simply didn't expect that behavior, as the descriptions we found seemed to imply that the Before causing discussions and potentially introducing a different attribute, I'd propose that we experiment a bit with the existing two options:
|
Our current analysis cannot detect if a counterexample is only feasible because of the overapproximation. We are planning to implement such an analysis. Currently, my plan is to issue this as a project for students, so it will be ready only in a few month. (And it may turn out that my current idea for such an analysis will be too costly in practise.) |
We discussed your issue today. The conclusion of our discussion was that the semantics that you expect is more natural. (In fact the current documentation also says that your expectation is justified.) |
We were assuming that Boogie functions labeled with the
{:overapproximation "foo"}
attribute could be used to recognize counter-examples that involve overapproximations of otherwise unsupported or expensive operations. In our current encoding, we use those attributes to define UFs that over-approximate cryptographic hash functions, bitwise operators, and the like.But there seems to be a semantic issue with that attribute. Consider the following Boogie example:
TestBitwiseAnd
as expected: With an underlying UF, the result ofBitwiseAnd(x,y)
is non-deterministic, but fixed for givenx
andy
. So equality must hold.BitwiseAnd
and label it as being an over-approximation (we add{:overapproximation "BitwiseAnd"}
), Automizer suddenly reports the post-condition to be violated. It now replaces the calls to the underlying UF with two independent fresh variables. Sores1
andres2
are no longer constrained to hold the same value.I suspect the relevant code is here where the application of the UF is replaced by a fresh variable.
Especially for cryptographic hash functions, the property of
hash(param) = hash(param)
is pretty important - probably more important than the actual value. And we'd like to make use of the nice feature of Ultimate reporting "unknown" instead of a violation in case an overapproximation attribute occurs in a counterexample.Is that difference in the semantics between labeled and unlabeled Boogie functions really intentional, or is that a bug?
The examples are included here: test.zip
The text was updated successfully, but these errors were encountered: